OAuth

From Logic Wiki

OAuth 2.0 lets an application access specific resources on behalf of a user, without the application ever learning the user's password.

https://knpuniversity.com/screencast/oauth/intro#play

OAuth Actors

OAuth Provider

The OAuth Provider (the authorization server, in RFC 6749 terms) is made up of three components:

Authentication Provider

Username and Password

Consent Server

Which parts of system a client can access

Token Management Infrastructure

Stores each token's data: the access token, the refresh token, when it was issued, when it expires and whether it has been revoked

Resource Provider

Makes protected resources available over HTTP

e.g. Twitter

Resource Server

  • Holds Resources
  • Protects resources
  • Makes resources available via API

Resource Owner

Owner of the protected resource.

  • Owns resources
  • Delegates right to access the resource to a third party app

e.g. @aliiybar (a Twitter user)

Client

An application trying to access a protected resource.

  • Wants to access resources
  • Obtains and holds the Access Token and Refresh Token
  • Should NOT hold the Resource Owner's password (that is the whole point of the delegation)
  • Identified via ClientID and Client Secret (a confidential client; a public client such as a mobile app or single-page app cannot keep a secret, so the OAuth Provider must not treat the secret as proof of the client's identity)

e.g. a mobile app

OAuth Server - Endpoints

/authorize GET

Input Query Parameters

  • state
  • scope
  • response_type
  • client_id
  • redirect_uri

Output

Depending on response_type, the response is delivered through the redirect_uri (with state echoed back unchanged) and is one of:

  • Authorization Code (response_type=code, for the Authorization Code Grant)
  • Access Token (response_type=token, for the Implicit Grant; the token travels in the URL fragment, which is why this grant is now discouraged)

/token POST

Authorization: Basic base64(clientId:clientSecret)

Input parameters (sent form-encoded in the POST body, not as query parameters)

  • grant_type
  • code (for the Authorization Code Grant)
  • client_id
  • redirect_uri (must match the value sent to /authorize exactly)

Output

  • Access Token and, usually, Refresh Token, for:
    • Authorization Code Grant,
    • Client Credentials Grant (RFC 6749 says a refresh token should not be issued for this grant) and
    • Resource Owner Password Credentials Grant

/verify - not standardized (RFC 7662, Token Introspection, later standardized the same idea)

Only reachable internally by the Resource Server; it must not be exposed to clients

Client - Redirect Endpoints

Redirect URI (GET)

Input Query Parameters

  • state (the client must check that it equals the value it sent with /authorize and reject the response otherwise)
  • scope (not part of the standard code response; the scope actually granted comes back from /token)
  • code (or error, when the Resource Owner denied consent)

Resource Server - Resource Endpoint

/api, with the header Authorization: Bearer {Access Token}


Tokens

  • Access Token: presented to the Resource Server as a Bearer token; short-lived
  • Refresh Token: only for getting a new Access Token from /token, cannot be used to access resources
  • Authorisation Code: valid for just a few minutes (RFC 6749 recommends at most 10) and single-use, so the OAuth Server must reject a code presented a second time. It is exchanged for an Access Token at /token, is only ever processed by the OAuth Server and is never sent to the Resource Provider

Credentials

  • Resource Owner Credentials
  • Client Credentials : ClientID & ClientSecret
  • Access Token
  • Refresh Token
  • Authorisation Code

Client Registration

  • With OAuth Provider
  • Client provides to OAuth Provider
    • Redirect URI
    • Required Scopes
  • Client obtains from OAuth Provider
    • ClientID
    • ClientSecret
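The actors, endpoints, tokens and client registration steps above, as one runnable model. This is an added example, not code from the wiki page or from any OAuth library: everything in it (OAuthServer, Client, api_get, run_flow, the hypothetical https://oauth.example and https://app.example/cb addresses, the read/write scopes) is this example's own, and HTTP is replaced by direct method calls so it runs offline. It walks the Authorization Code Grant end to end: registration, /authorize with redirect_uri and scope checks, the redirect carrying code and state, /token with HTTP Basic client authentication, a /verify-style internal endpoint the resource server consults, and the failure cases the rules above imply (a refresh token presented as a Bearer token, a replayed authorization code, a scope the user never granted).

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_CODE_TTL, ACCESS_TOKEN_TTL = 600, 3600   # seconds; RFC 6749 recommends codes live <= 10 min

def _params(query):   # flatten a query string or form body into single values
    return {k: v[0] for k, v in parse_qs(query).items()}

class OAuthServer:   # authentication provider + consent server + token management (hypothetical)
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}
    def register_client(self, redirect_uri, scopes):   # client registration
        cid, secret = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.clients[cid] = {"secret": secret, "redirect_uri": redirect_uri, "scopes": set(scopes)}
        return cid, secret
    def authorize(self, query, user):   # GET /authorize, after `user` has logged in and consented
        q = _params(query)
        client = self.clients.get(q.get("client_id"))
        # exact match with the registered redirect_uri, and no redirect at all on failure
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if q.get("response_type") != "code" or not q.get("state"):
            raise ValueError("unsupported_response_type or missing state")
        scope = set(q.get("scope", "").split())
        if not scope <= client["scopes"]:   # consent: only scopes the client registered for
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "scope": scope, "user": user, "exp": time.time() + AUTH_CODE_TTL}
        # state goes back unchanged so the client can bind this response to its own request
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, authorization, body):   # POST /token: Basic client auth, form-encoded body
        scheme, _, b64 = authorization.partition(" ")
        cid, _, secret = base64.b64decode(b64).decode().partition(":")
        client = self.clients.get(cid)
        if scheme != "Basic" or client is None or not secrets.compare_digest(secret, client["secret"]):
            raise PermissionError("invalid_client")
        p = _params(body)
        if p.get("grant_type") != "authorization_code":   # refresh/other grants not modelled here
            raise PermissionError("unsupported_grant_type")
        c = self.codes.pop(p.get("code"), None)   # pop(): an authorization code is single-use
        if c is None or c["exp"] < time.time() or c["client_id"] != cid \
                or c["redirect_uri"] != p.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[at] = {"scope": c["scope"], "user": c["user"], "exp": time.time() + ACCESS_TOKEN_TTL}
        return {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL,
                "refresh_token": rt, "scope": " ".join(sorted(c["scope"]))}   # rt is never a Bearer token
    def verify(self, access_token):   # /verify: internal, for the resource server; None = reject
        return t if (t := self.tokens.get(access_token)) and t["exp"] > time.time() else None

class Client:   # third-party app: holds client_id/secret and tokens, never the user's password
    def __init__(self, server, cid, secret, redirect_uri):
        self.server, self.cid, self.secret, self.redirect_uri = server, cid, secret, redirect_uri
        self.pending = set()   # outstanding state values, kept in the user's session
    def build_authorize_url(self, scope):
        state = secrets.token_urlsafe(16)   # unguessable and per request: the CSRF defence
        self.pending.add(state)
        return "https://oauth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.cid, "redirect_uri": self.redirect_uri,
            "scope": scope, "state": state})
    def exchange_code(self, code):
        creds = base64.b64encode(f"{self.cid}:{self.secret}".encode()).decode()
        return self.server.token("Basic " + creds, urlencode({
            "grant_type": "authorization_code", "code": code,
            "client_id": self.cid, "redirect_uri": self.redirect_uri}))
    def handle_redirect(self, url):   # GET <redirect_uri>?code=...&state=...
        q = _params(urlsplit(url).query)
        if q.get("state") not in self.pending:   # unknown or reused state: CSRF / code injection
            raise PermissionError("state mismatch")
        self.pending.discard(q["state"])
        return self.exchange_code(q["code"])

def api_get(server, authorization, required_scope):   # resource server: /api with Bearer auth
    info = server.verify(authorization[7:]) if authorization.startswith("Bearer ") else None
    if info is None:
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"user": info["user"]}

def run_flow():   # the grant end to end, plus attempts that must fail
    srv = OAuthServer()
    cid, sec = srv.register_client("https://app.example/cb", ["read", "write"])
    app = Client(srv, cid, sec, "https://app.example/cb")
    redirect = srv.authorize(urlsplit(app.build_authorize_url("read")).query, user="@aliiybar")
    code = _params(urlsplit(redirect).query)["code"]
    tokens = app.handle_redirect(redirect)
    out = {"api": api_get(srv, "Bearer " + tokens["access_token"], "read"),
           "wrong_scope": api_get(srv, "Bearer " + tokens["access_token"], "write"),
           "refresh_as_bearer": api_get(srv, "Bearer " + tokens["refresh_token"], "read")}
    try:   # replaying the already-used code must be refused by /token
        out["code_replay"] = app.exchange_code(code) and "accepted"
    except PermissionError as err:
        out["code_replay"] = str(err)
    return out
```

run_flow() returns the outcome of each step so they can be inspected. The three checks that most often go wrong in real deployments are all visible here: the exact redirect_uri comparison at /authorize (a prefix or substring match turns the endpoint into an open redirect that leaks codes), the single-use code at /token, and the client-side state check on the redirect.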

OAuth Flow

Udemy Lesson

[Figures: OauthFlows.jpg, OAUTH Flow 1.jpg, OAUTH Flow 2.jpg, OAUTH Flow 3.jpg (flow diagrams from the lesson; images not reproduced here)]